libretro/scummvm
1
0
Fork 0
mirror of https://github.com/libretro/scummvm.git synced 2025-02-03 01:15:58 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

KYRA: (LOL) Fix buffer overflow in _lastOverridePalFile

Browse Source 
It was storing filenames of length 12 in a char[12] buffer.
Fixes bug #9627.
This commit is contained in:
Willem Jan Palenstijn 2016-10-25 23:11:13 +02:00
parent 97bc65e82f
commit b4515d0872
2 changed files with 7 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
engines/kyra/lol.h
View File

@ -987,8 +987,7 @@ private:
uint16 _specialGuiShapeY; uint16 _specialGuiShapeY;
uint16 _specialGuiShapeMirrorFlag; uint16 _specialGuiShapeMirrorFlag;
char _lastOverridePalFile[12]; Common::String _lastOverridePalFile;
char *_lastOverridePalFilePtr;
int _lastSpecialColor; int _lastSpecialColor;
int _lastSpecialColorWeight; int _lastSpecialColorWeight;

14
engines/kyra/scene_lol.cpp
View File

@ -303,12 +303,10 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
_lastSpecialColor = specialColor; _lastSpecialColor = specialColor;
_lastSpecialColorWeight = weight; _lastSpecialColorWeight = weight;
strcpy(_lastBlockDataFile, file); strcpy(_lastBlockDataFile, file);
if (palFile) { if (palFile)
strcpy(_lastOverridePalFile, palFile); _lastOverridePalFile = palFile;
_lastOverridePalFilePtr = _lastOverridePalFile; else
} else { _lastOverridePalFile.clear();
_lastOverridePalFilePtr = 0;
}
} }
if (_flags.use16ColorMode) { if (_flags.use16ColorMode) {
@ -361,8 +359,8 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
memcpy(_vcnColTable, v, 128); memcpy(_vcnColTable, v, 128);
v += 128; v += 128;
if (_lastOverridePalFilePtr) { if (!_lastOverridePalFile.empty()) {
_res->loadFileToBuf(_lastOverridePalFilePtr, _screen->getPalette(0).getData(), 384); _res->loadFileToBuf(_lastOverridePalFile.c_str(), _screen->getPalette(0).getData(), 384);
} else { } else {
_screen->getPalette(0).copy(v, 0, 128); _screen->getPalette(0).copy(v, 0, 128);
} }